Root.cz Forum
Main topics => Networks => Topic started by: tuxmartin, 19. 10. 2018, 22:20:03
-
Hi,
for two days now I have been trying to get an IPsec server running on Linux. I had never worked with IPsec before.
I used strongSwan, which has packages in Debian and Ubuntu.
I have Ubuntu 18.04 and strongSwan 5.6.2 (https://packages.ubuntu.com/bionic/strongswan).
It took quite some effort to get IKEv2 working with a user database and IP pool in FreeRADIUS, but in the end it worked (the "conn ikev2-vpn" section is functional).
For strongSwan I use a Let's Encrypt certificate.
Unfortunately, as I found out, the official strongSwan app on Android works, but a MikroTik cannot connect to this type of IPsec (neither can the built-in Android VPN client).
So I am trying to get strongSwan to act as an IPsec server for MikroTik (hAP lite (https://www.i4wifi.cz/Bezdraty-2-4-GHz/AP-klienti/Vnitrni/RB941-2nD-hAP-lite-classic-32-MB-RAM-650-MHz-4x-LAN-1x-2-4-GHz-802-11n-L4.html)) clients.
Ideally I would like to avoid client certificates and use only username+password. It would be much easier to configure on the MikroTik.
My attempt is in the "conn xauth-ikev1-mikrotik" section. But the MikroTik cannot connect; it keeps spewing these errors into the log:
# tail -F /var/log/syslog | grep "ipsec\|charon"
Oct 19 18:13:51 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:13:51 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:13:51 vpn charon: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:13:51 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:13:51 vpn charon: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:13:51 vpn charon: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:13:51 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:13:51 vpn charon: 08[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:13:51 vpn charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Oct 19 18:13:51 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:02 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:02 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:02 vpn charon: 06[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:02 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:02 vpn charon: 06[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:02 vpn charon: 06[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:02 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:02 vpn charon: 06[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:02 vpn charon: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Oct 19 18:14:02 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:12 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:12 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:12 vpn charon: 13[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:12 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:12 vpn charon: 13[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:12 vpn charon: 13[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:12 vpn charon: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:12 vpn charon: 13[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:12 vpn charon: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Oct 19 18:14:12 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:23 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:23 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:23 vpn charon: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:23 vpn charon: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:23 vpn charon: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:23 vpn charon: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:23 vpn charon: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:23 vpn charon: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:23 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Oct 19 18:14:23 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:34 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:34 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] sha256_96=no
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] mediation=no
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] keyexchange=ikev2
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] algorithm 'saha256' not recognized
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] skipped invalid proposal string: aes128-saha256-ecp256
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 08[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 06[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 06[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 06[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 06[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 06[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 13[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 13[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 13[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 13[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] IKE_SA (unnamed)[5] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 14[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 14[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 14[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn charon: 14[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn charon: 14[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn charon: 14[IKE] IKE_SA (unnamed)[6] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:55 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:55 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:55 vpn charon: 05[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:55 vpn charon: 05[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:55 vpn charon: 05[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:55 vpn charon: 05[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:55 vpn charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:55 vpn charon: 05[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:55 vpn charon: 05[IKE] IKE_SA (unnamed)[7] state change: CREATED => DESTROYING
Oct 19 18:14:55 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:15:05 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:15:05 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:15:05 vpn charon: 12[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:15:05 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:15:05 vpn charon: 12[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:15:05 vpn charon: 12[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:15:05 vpn charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:15:05 vpn charon: 12[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:15:05 vpn charon: 12[IKE] IKE_SA (unnamed)[8] state change: CREATED => DESTROYING
Oct 19 18:15:05 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
I have strongSwan installed including all the RADIUS plugins:
apt-get install strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins
Here are my configs:
# cat /etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids=no
    # allow multiple connections from a given user

conn xauth-ikev1-mikrotik
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev1
    rekey=no
    left=%any
    leftid=muj.vpn.server.cz
    leftauth=psk
    leftcert=/etc/strongswan_certs/cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=psk
    rightauth2=xauth-radius
    xauth=server
    authby=xauthpsk
    rightsourceip=%radius
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes128-saha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

conn ikev2-vpn
    auto=add
    # On strongSwan startup, load this connection and then wait for clients to connect to it (auto=add)
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1800s
    # Enable Dead Peer Detection (DPD), which periodically checks that the
    # client is still responding and if it's not then the IKEv2 session and the IPsec tunnel are cleared.
    ike=aes256-aes192-aes128-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
    # List our acceptable encryption and message-integrity algorithms, for the authentication and key exchange process.
    rekey=no
    left=%any
    leftid=muj.vpn.server.cz
    leftauth=pubkey
    leftcert=/etc/strongswan_certs/cert.pem
    # Must only contain our public key, not the complete certificate chain!
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    rightsourceip=%radius
    #rightsourceip=10.10.10.1-10.10.10.150
    # rightsourceip=192.0.2.0/25,2001:db8::/96
    # Assign each client dynamic addresses from an IPv4 and an IPv6 pool.
    # The first and last addresses in each subnet will not be used
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    # Allow any defined user to connect (provided they're present in ipsec.secrets).

# static IPs are not excluded from the pool you configured in ikev2-vpn !!!!!!!!
#
# And if this static config selection works will also depend on the client.
# If the IKE identity is not the same as the EAP-Identity a match on rightid won't
# be possible (our Android app sets both to the same value, but e.g. the Windows
# IKEv2 client does not)
conn static_ip___staticuserX
    also=ikev2-vpn
    # the parameters of that section are inherited by the current section
    rightid=staticuserX
    rightsourceip=10.10.10.200/32
    auto=add
# cat /etc/ipsec.secrets
: RSA "/etc/strongswan_certs/key.pem"
: PSK : "secret123"
# cat /etc/strongswan.d/charon.conf
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 127.0.0.1
                    secret = testing123
                    # key name is nas_identifier (the post had "nas_identifer"; an unknown key is simply never read)
                    nas_identifier = ipsec-gateway
                    sockets = 20
                    preference = 99
                }
            }
        }
        xauth-eap {
            backend = radius
        }
    }
}
# cat /etc/freeradius/3.0/users
DEFAULT Pool-Name := main_pool
        Fall-Through = Yes

"testuser" Cleartext-Password := "123456789"

"teststatic" Cleartext-Password := "123456789"
        Framed-IP-Address := 10.10.10.199,
        Framed-IP-Netmask := 255.255.255.0
On the MikroTik I tried to set up the VPN with:
/ip ipsec peer> add address=6.7.8.9/32 auth-method=pre-shared-key-xauth secret=secret123 xauth-login=testuser xauth-password=123456789
Could someone advise me how to configure strongSwan so that it works as an IPsec VPN server for MikroTik clients?
I would like to avoid certificates, but I do not like a single shared PSK for everyone either.
Isn't there some compromise, like a PSK plus a username and password on top? On the MikroTik maybe secret + xauth-login + xauth-password?
I saw something similar in the Android VPN client as "IPsec Xauth PSK"; by the way, that does not connect either.
An L3 VPN is enough for me, so using L2TP/IPsec seems unnecessary.
The VPN will primarily be used for VoIP (SIP), so every layer that is not there is a good thing. VoIP will have additional security of its own, so I would not be too afraid even of Xauth IKEv1, which I have been warned against so much.
And because of VoIP the VPN has to be UDP; otherwise I would use OpenVPN, with which I have excellent experience, but MikroTik only supports it in TCP mode :-(
-
no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
skipped invalid proposal string: aes128-saha256-ecp256
-
I can't help you with strongSwan, but my observations:
1. You can happily run UDP inside OpenVPN over TCP. Of course it may feel slower/worse, because it will push all packets through the VPN, but that is how I usually have it on ADSL lines (MikroTik at the customer) and I have not noticed any difference compared with a direct UDP link.
2. Even though you write that you want to avoid it, I recommend using L2TP/IPsec: it is simpler, it is L3, VoIP will go through it and it will work without problems on Android/iOS/ROS.
-
no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
skipped invalid proposal string: aes128-saha256-ecp256
I noticed that, I just don't know yet how to fix it.
1. You can happily run UDP inside OpenVPN over TCP. Of course it may feel slower/worse, because it will push all packets through the VPN, but that is how I usually have it on ADSL lines (MikroTik at the customer) and I have not noticed any difference compared with a direct UDP link.
2. Even though you write that you want to avoid it, I recommend using L2TP/IPsec: it is simpler, it is L3, VoIP will go through it and it will work without problems on Android/iOS/ROS.
1)
Why TCP Over TCP Is A Bad Idea - http://sites.inka.de/bigred/devel/tcp-tcp.html
but SIP is just "modified HTML", so that would not matter so much.
The problem is RTP. I cannot use a TCP VPN. I also discussed this on the odorik.cz forum, and it really is not a good idea to tunnel the RTP stream of a VoIP call through a TCP tunnel. They strongly advised me not to do it.
2)
L2TP/IPsec - maybe it will end up that way after all.
Do you have any proven config/howto for setting up what I need?
-
Above all you have to put MikroTik in your coffee too, otherwise it won't work. I am astonished by this fascination with stupid, limited little boxes. You save a few bucks on the purchase and then you keep working out what works and what doesn't, and after months of investigation the thousand crowns you saved finally "pays back" (if minimum wage is enough for you or your boss is an idiot).
-
Hi,
in the /etc/ipsec.conf config I see a typo in the IKE proposal
ike=aes128-saha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
should be
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Tomas
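The typo Tomas points out is the kind of error charon only reports at load time ("algorithm 'saha256' not recognized" followed by "skipped invalid proposal string" in the log above), and a dropped proposal means the client is silently offered less than the ike= line suggests. The following is an added example, not code from the original post or from the strongSwan project: a small Python checker that validates ike=/esp= proposal strings before an ipsec reload. The keyword sets in it are a hand-picked subset of the algorithm names strongSwan accepts (an assumption; prf* names, for instance, are not included), and the "weak" list is the editor's own choice of what not to offer new clients.

```python
"""Check strongSwan ike=/esp= proposal strings before reloading ipsec.conf.

Added example (not code from the original post or from strongSwan): it repeats
what charon does when it logs "algorithm 'saha256' not recognized" and
"skipped invalid proposal string", so the typo is caught before a restart
silently drops the proposal. The keyword sets are a hand-picked subset of the
names strongSwan accepts (assumption: enough for the lists in this thread).
"""
import difflib
from typing import Dict, List

ENCRYPTION = {"aes128", "aes192", "aes256", "3des", "chacha20poly1305",
              "aes128gcm16", "aes256gcm16", "aes128gcm8", "aes256gcm8"}
AEAD = {"aes128gcm16", "aes256gcm16", "aes128gcm8", "aes256gcm8", "chacha20poly1305"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "sha256_96"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "modp8192",
             "ecp256", "ecp384", "ecp521", "curve25519"}
KNOWN = ENCRYPTION | INTEGRITY | DH_GROUPS
# Editor's choice of what not to offer new clients, not a strongSwan list.
WEAK = {"md5", "sha1", "3des", "modp1024", "modp1536"}


def check_proposals(value: str, kind: str = "ike") -> Dict[str, object]:
    """Validate one ike= or esp= value.

    Returns {"errors": [...], "weak": [...], "strict": bool}. For kind="ike"
    every proposal needs a cipher, an integrity algorithm (unless the cipher
    is AEAD) and a DH group; for kind="esp" the DH group is optional (PFS).
    """
    errors: List[str] = []
    weak: List[str] = []
    strict = value.endswith("!")  # "!" = accept nothing but the listed proposals
    for proposal in value.rstrip("!").split(","):
        tokens = proposal.split("-")
        unknown = [t for t in tokens if t not in KNOWN]
        for t in unknown:
            hint = difflib.get_close_matches(t, sorted(KNOWN), n=1)
            suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
            errors.append(f"{proposal}: algorithm '{t}' not recognized{suggestion}")
        if unknown:
            continue  # charon drops the whole proposal, so do not check it further
        enc = [t for t in tokens if t in ENCRYPTION]
        integ = [t for t in tokens if t in INTEGRITY]
        dh = [t for t in tokens if t in DH_GROUPS]
        if not enc:
            errors.append(f"{proposal}: no encryption algorithm")
        elif not integ and not all(e in AEAD for e in enc):
            errors.append(f"{proposal}: non-AEAD cipher without integrity algorithm")
        if kind == "ike" and not dh:
            errors.append(f"{proposal}: IKE proposal needs a DH group")
        weak.extend(f"{proposal}: {t}" for t in tokens if t in WEAK)
    return {"errors": errors, "weak": weak, "strict": strict}


if __name__ == "__main__":
    # The first three proposals of the ike= line from the thread, typo included.
    result = check_proposals("aes128-saha256-ecp256,aes256-sha384-ecp384,"
                             "aes128-sha256-modp2048!")
    for line in result["errors"] + result["weak"]:
        print(line)
```

Run it over the ike= and esp= values from ipsec.conf before reloading. The "weak" entries are what you would trim from the list before offering it to new clients; the trailing "!" makes the list strict, and without it charon also accepts its default proposals.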
-
Above all you have to put MikroTik in your coffee too, otherwise it won't work. I am astonished by this fascination with stupid, limited little boxes. You save a few bucks on the purchase and then you keep working out what works and what doesn't, and after months of investigation the thousand crowns you saved finally "pays back" (if minimum wage is enough for you or your boss is an idiot).
So you don't know how to use MikroTik, ok.
-
in the /etc/ipsec.conf config I see a typo in the IKE proposal
ike=aes128-saha256-ecp256,aes256-sha384
Thanks for the tip. Fixed, but it still didn't help :-(
-
In general:
No proposal chosen means that peer A has no non-empty set of ciphers in common with peer B.
They cannot agree on establishing the tunnel.
Specifically, if I get to it I will try it as well; I only have experience with combinations of other vendors.
-
the MKT configuration might be useful...
-
So instead of plain IPsec I started trying L2TP/IPsec, still without success.
My configs:
root@vpn:/# cat /etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids=no

conn wtf
    type=transport
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftprotoport=udp/l2tp
    leftid=@88.86.113.219
    right=%any
    rightprotoport=udp/%any
    auto=add
    aggressive=yes
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    leftauth2=xauthpsk
    rightauth2=xauthpsk
root@vpn:/# cat /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 88.86.113.219
[lns default]
ip range = 10.10.100.10-10.10.100.250
local ip = 10.10.100.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = TEST_VPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
root@vpn:/# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
But I still see only this error:
Oct 31 15:27:41 vpn charon: 03[NET] waiting for data on sockets
Oct 31 15:27:41 vpn charon: 14[NET] received packet: from 77.78.90.200[500] to 88.86.113.219[500] (364 bytes)
Oct 31 15:27:41 vpn charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[IKE] remote host is behind NAT
Oct 31 15:27:41 vpn charon: 14[CFG] candidate "wtf", match: 1/1/28 (me/other/ike)
Oct 31 15:27:41 vpn charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[NET] sending packet: from 88.86.113.219[500] to 77.78.90.200[500] (372 bytes)
Oct 31 15:27:41 vpn charon: 04[NET] sending packet: from 88.86.113.219[500] to 77.78.90.200[500]
Oct 31 15:27:42 vpn charon: 03[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500]
Oct 31 15:27:42 vpn charon: 03[NET] waiting for data on sockets
Oct 31 15:27:42 vpn charon: 16[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Oct 31 15:27:42 vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Oct 31 15:27:42 vpn charon: 16[ENC] could not decrypt payloads
Oct 31 15:27:42 vpn charon: 16[IKE] message parsing failed
Oct 31 15:27:42 vpn charon: 16[ENC] generating INFORMATIONAL_V1 request 3597591477 [ HASH N(PLD_MAL) ]
I checked the passwords about 10 times.
The client is a MikroTik hAP lite.
I am completely at a loss now :-(
I would welcome any tip on how to get a working combination of an L2TP/IPsec server on Linux and a MikroTik client.
I would rather have certificate authentication, but I can live with an IPsec PSK (the VPN wizard in WinBox offers nothing else) and usernames+passwords on L2TP.
-
Hi, a while ago I set up IPsec between libreswan and libreswan - it worked. Yesterday I was doing IPsec between MikroTik and MikroTik - it worked. When I have time I can quickly try libreswan and MikroTik to see whether I can get it running.
In any case, at a glance I see that on the MikroTik you have ip ipsec peer configured, but you do not have an ip ipsec policy configured, so for now my modest guess is that the problem is somewhere there. Or some other parameters in the peer.
Alternatively, turn on debug logging for ipsec
system logging> add topics=ipsec,!debug
and then
log print
and show what it says.
-
Could someone advise me how to configure strongSwan so that it works as an IPsec VPN server for MikroTik clients?
Hello,
I can't advise you on strongSwan, but I have been running IPsec tunnels between MikroTik routers and a Linux server to full satisfaction for years using Racoon.
The setup guide is here: https://wiki.debian.org/IPsec
-
Currently I am trying this ipsec server config https://forum.root.cz/index.php?topic=19874.msg294389#msg294389
and on the MikroTik I use ppp->interface->l2tp client and fill in that table. I did not configure anything else on the MikroTik, and still the same error:
Nov 5 10:23:29 vpn charon: 03[NET] waiting for data on sockets
Nov 5 10:23:29 vpn charon: 06[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Nov 5 10:23:29 vpn charon: 06[ENC] invalid ID_V1 payload length, decryption failed?
Nov 5 10:23:29 vpn charon: 06[ENC] could not decrypt payloads
Nov 5 10:23:29 vpn charon: 06[IKE] message parsing failed
-
The linked config talks about using xauth on the strongSwan server. If you configure L2TP/IPsec on ROS through the L2TP options with automatic IPsec config, it will not use Xauth (it uses pre-shared-key, not pre-shared-key-xauth).
If you still have Xauth enabled on the IPsec server and ROS with L2TP automatic IPsec, then the message "invalid ID_V1 payload length, decryption failed?" corresponds to that state.
The other possibility is a wrong shared secret, but if you set it 10 times (yeah, looking at the strongSwan version, try a PSK without odd non-alphanumeric characters just to be sure; that occasionally used to produce surprises).
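Two distinct failure signatures appear in this thread. In the first attempt charon logs "no IKE config found ... sending NO_PROPOSAL_CHOSEN" for a request it parsed as IKE_SA_INIT, which is an IKEv2 exchange that only a keyexchange=ikev2 conn can match (conn xauth-ikev1-mikrotik is keyexchange=ikev1). In the L2TP attempt the exchange is ID_PROT (IKEv1 main mode), a conn matches, and the first encrypted message fails with "invalid ID_V1 payload length, decryption failed? / could not decrypt payloads", which the reply above attributes to an Xauth-versus-plain-PSK mismatch or a wrong secret. As an added example (not from the original posts or from the strongSwan project), here is a Python triage script that maps these charon messages to a diagnosis; the sample log it ships with is constructed from the shape of the lines quoted in the thread, with the thread's placeholder addresses.

```python
"""Triage charon (strongSwan) syslog lines into diagnoses.

Added example, not from the original posts or from the strongSwan project. It
maps the charon messages seen in this thread to what they mean, so a run of
"grep charon /var/log/syslog" can be read at a glance. SAMPLE_LOG is constructed
from the shape of the lines quoted in the thread (placeholder addresses kept).
"""
import re
import sys
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Oct 19 18:13:51 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:13:51 vpn charon: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] skipped invalid proposal string: aes128-saha256-ecp256
Oct 31 15:27:41 vpn charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[CFG] candidate "wtf", match: 1/1/28 (me/other/ike)
Oct 31 15:27:42 vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Oct 31 15:27:42 vpn charon: 16[ENC] could not decrypt payloads
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:charon|ipsec\[\d+\]): "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)

# (pattern over the message, signature, diagnosis). The diagnoses restate what
# charon's own messages mean; they do not guess at the client's configuration.
SIGNATURES = [
    (re.compile(r"parsed IKE_SA_INIT request"), "ikev2_init",
     "peer opened an IKEv2 exchange (IKE_SA_INIT); only a keyexchange=ikev2 conn can match"),
    (re.compile(r"parsed ID_PROT request"), "ikev1_main_mode",
     "peer opened IKEv1 main mode (ID_PROT); only a keyexchange=ikev1 conn can match"),
    (re.compile(r"no IKE config found for ([^\s,]+)\.\.\.([^\s,]+)"), "no_ike_config",
     "no conn matched local/remote address and IKE version; charon answers NO_PROPOSAL_CHOSEN"),
    (re.compile(r"skipped invalid proposal string: (\S+)"), "bad_proposal",
     "typo in ike=/esp=; the whole proposal is dropped, not just the bad token"),
    (re.compile(r"invalid ID_V1 payload length, decryption failed\?|could not decrypt payloads"),
     "ikev1_decrypt_failed",
     "first encrypted IKEv1 message did not decrypt: PSK mismatch, or xauth vs plain PSK mismatch"),
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one syslog line into timestamp, charon thread, log group and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per line whose message matches a known signature."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        for pattern, name, diagnosis in SIGNATURES:
            m = pattern.search(rec["msg"])
            if m:
                findings.append({"ts": rec["ts"], "signature": name, "diagnosis": diagnosis,
                                 "detail": " ".join(g for g in m.groups() if g)})
                break
    return findings


def summarize(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per signature, the quick view for a noisy retry loop."""
    return Counter(f["signature"] for f in findings)


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in triage(text):
        extra = f" [{f['detail']}]" if f["detail"] else ""
        print(f"{f['ts']}  {f['signature']:<21} {f['diagnosis']}{extra}")
    print(dict(summarize(triage(text))))
```

Feed it the real log with "grep charon /var/log/syslog | python3 triage.py"; with no stdin it runs on the embedded sample. The summary counter is what matters on a client that retries every ten seconds: one no_ike_config per attempt points at the IKE version or address match, while ikev1_decrypt_failed after a matched candidate points at the secret or the authentication method.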
-
So I modified the config so that there is no XAUTH in it, but the error is still the same:
# cat /etc/ipsec.secrets
%any %any : PSK : "testABC"
%any %any : XAUTH : "testABC"
# cat /etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids=no

conn wtf
    type=transport
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftprotoport=udp/l2tp
    leftid=@88.86.113.219
    right=%any
    rightprotoport=udp/%any
    auto=add
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
Any idea what else to change?
-
For 1000 CZK I'll set it up.
-
Above all you have to put MikroTik in your coffee too, otherwise it won't work. I am astonished by this fascination with stupid, limited little boxes. You save a few bucks on the purchase and then you keep working out what works and what doesn't, and after months of investigation the thousand crowns you saved finally "pays back" (if minimum wage is enough for you or your boss is an idiot).
What would you use, or suggest using, instead of MikroTik?